Symantec Fourth Response to Mis-Issuance Questions


1) Please provide the CP, CPS, and Audit Letter(s) used for each RA partner since the acquisition by 
Symantec of the VeriSign Trust Services business in 2010. 

All RA partners operate under the Symantec Trust Network CP which is updated multiple times per year. 
All RA partners operate under a CPS that is superseded by any differences in the CABF BR. Our RAs 
archive their policy documentation at the following locations: 

CrossCert http://www.crosscert.com/symantec/certificationeng.pdf 
Certisign http://vtn.certisign.com.br/repositorio 
Certisur https://www.certisur.com/repository 
Certsuperior https://www.certsuperior.com/docs/CPS_Final_2016_version_4_l_0.pdf 

Contrary to our agreements with them and their obligations, RAs have not consistently updated their 
CPS annually. This is one reason we decided to terminate the RA program. 

We have provided audits that cover periods beginning when audits were required by CABF BR at 
https://bugzilla.mozilla.org/show_bug.cgi?id=1334377. 

The following audit is not yet posted; it is not in our online records, and we are investigating: 

Certisign: 2012 audit (note: all certificates issued during this audit period have expired) 

Certsuperior began validation of SSL/TLS certificates in 2012. Their audits covering October 2012 onward 
are posted. We acknowledge that SmartIT is not licensed by WebTrust to perform audits in Mexico for 
Certsuperior. The Symantec compliance organization detected this error and required Certsuperior to 
engage a licensed WebTrust auditor during review of their last audit. Certsuperior corrected this and 
engaged with Deloitte. The timing of that change in auditors drove Certsuperior's change in audit 
anniversary date. 

The documents provided allow relying parties to examine the practice and audit of all valid certificates 
issued by RAs. All RAs, including CrossCert, will be required to complete final audits as we wind down 
the RA program. 



